v1.14.0-snapshot.3 (Pre-release)

Released by @aanm on 01 Jun 22:41
Summary of Changes

Major Changes:

  • Add TLSRoute support to GatewayAPI (#25106, @meyskens)
  • New high-scale ipcache mode to support clustermeshes with millions of pods. (#25148, @pchaigno)
  • Support for deploying Cilium L7 Proxy (Envoy) independently as a separate DaemonSet for availability, performance, and security benefits. (#25081, @mhofstetter)

Minor Changes:

  • add native tunnel encapsulation support for the XDP Loadbalancer (#24422, @julianwiedmann)
  • Add Prometheus metrics support to clustermesh-apiserver (#25316, @giorio94)
  • Add support for allocating PodCIDRs from multiple IPAM pools (#22762, @gandro)
  • Add support for paginated lists in etcd, and propagate config options (#25469, @giorio94)
  • Add support for setting BGP timer parameters in CiliumBGPNeighbor CRD (#25408, @rastislavs)
  • Allow to disable external workloads support in clustermesh-apiserver to improve performance when not needed. (#25259, @giorio94)
  • Cilium now supports chaining with arbitrary CNI plugins. To use, set the Helm value cni.chainingTarget. (#24956, @squeed)
  • clustermesh-apiserver: expose information about completion of initial synchronization through etcd (#25388, @giorio94)
  • clustermesh-apiserver: rework services synchronization to improve performance (#25260, @giorio94)
  • cmd/cleanup: add socketlb program cleanup (#25136, @rgo3)
  • DNS Proxy binds to loopback interfaces only (#25309, @mhofstetter)
  • dns proxy: Only reuse DNS proxy port when it's free (#25466, @anfernee)
  • envoy: Add idle timeout configuration option (#25214, @sayboras)
  • Fix CIDR json tag in CNP CIDRRule (#25617, @pippolo84)
  • Fixed incorrectly rendered chart when both configMap and customConf are specified (#25200, @marseel)
  • helm: Bump default spire image version (#25444, @sayboras)
  • helm: deprecate clustermesh CA configuration in favor of the global CA configuration (#25010, @giorio94)
  • helm: Improve spire template (#25589, @sayboras)
  • High-Scale IPcache: Chapter 3 (#25438, @pchaigno)
  • identity/cache: fix panic when re-init of cache after close. (#25269, @tommyp1ckles)
  • multi-pool: Determine IP pool based on ipam.cilium.io/ip-pool annotation (#25511, @gandro)
  • operator/ipam/metrics: Add new, more accurate, per-node available/used/needed metrics; the existing ipam_ips metric is deprecated. (#24776, @tommyp1ckles)
  • Replace wait-for-it in SPIRE setup with a busybox script (#24959, @meyskens)
  • Significantly reduce Hubble flow traffic by transmitting only requested information (#23198, @AwesomePatrol)
  • Support enable-endpoint-routes with enable-high-scale-ipcache. (#25601, @pchaigno)
  • Support GENEVE encapsulation with high-scale ipcache. (#25591, @pchaigno)
  • Update CNI (loopback) to 1.3.0 (#25400, @anfernee)
  • Updating documentation helm values now works also on arm64. (#25422, @jrajahalme)
  • Use BGP Control Plane annotations from Node Resource for creation of CiliumNode Resource (#24914, @margau)

Bugfixes:

  • Add drop notifications for various error paths in the datapath. (#25183, @julianwiedmann)
  • Added validation to ensure that enabling Ingress or Gateway API support while l7proxy is disabled will fail, as this is an incompatible configuration. (#25215, @youngnick)
  • Avoid dropping short packets (that don't have their L3 header in linear data) in the to-netdev and from-host paths. (#25159, @julianwiedmann)
  • bpf,datapath: read jiffies from /proc/schedstat (#25795, @ti-mo)
  • bpf/nat: fix current behavior that is silently ignoring errors in a revSNAT context (#19753, @sahid)
  • bpf: lb: deal with stale rev_nat_index after svc lookup in fallback path (#24757, @julianwiedmann)
  • Compare annotations before discarding CiliumNode updates. (#25465, @LynneD)
  • datapath: Fix double SNAT (#25189, @brb)
  • DNS proxy now always updates the proxy policy to avoid intermittent policy drops. (#25147, @jrajahalme)
  • Fix a bug due to which we would leak Linux XFRM policies, potentially leading to increased CPU consumption, when IPsec is enabled with Azure or ENI IPAM. (#25784, @pchaigno)
  • Fix a bug that would cause connectivity drops of type XfrmInNoStates on upgrade when IPsec is enabled with ENI or Azure IPAM mode. (#25724, @pchaigno)
  • Fix a possible deadlock when using WireGuard transparent encryption. (#25419, @bimmlerd)
  • Fix a regression in which link-local addresses were not treated with the "host" identity in some circumstances. (#25298, @asauber)
  • Fix broken IPv6 access to native node devices due to wrong source IPv6 of NA response. (#25329, @jschwinger233)
  • Fix bug affecting EKS installations with IPsec encryption enabled, where Cilium wouldn't attach its IPsec BPF program to new ENI interfaces, resulting in connectivity loss between pods on remote nodes. (#25744, @joamaki)
  • Fix data race affecting the preferred mark in backends, e.g. backends selected by service with affinity set to local. In very rare cases a backend might be missing its preferred status and a non-local backend might be selected. (#25087, @joamaki)
  • Fix incorrect Hubble flow data when HTTP requests contain an x-forwarded-for header: the Envoy HTTP configuration now sets use_remote_address: true explicitly, so the actual remote address of the incoming connection is always used rather than the value of the x-forwarded-for header, which may originate from an untrusted source. This change has no effect on Cilium policy enforcement, where the source security identity is always resolved before HTTP headers are parsed. The previous Cilium behavior of not appending x-forwarded-for headers is retained via an explicit skip_xff_append: true setting, except for Cilium Ingress, where the source IP address is now appended to the x-forwarded-for header. (#25674, @jrajahalme)
  • Fix missed deletion events when reconnecting to/disconnecting from remote clusters (nodes and services) (#25499, @giorio94)
  • Fix missing drop notifications on conntrack lookup failures when IPv4 and IPv6 are both enabled or socket-level load balancing is disabled. (#25426, @bleggett)
  • Fix operator shutdown hanging when kvstore is enabled (#24979, @giorio94)
  • Fix path asymmetry when using pod-to-pod encryption with IPsec and tunnel mode. (#25440, @pchaigno)
  • Fix permission issue when copying cni plugins onto host path (#24891, @JohnJAS)
  • Fix RevSNAT for ICMPv6 packets. (#25306, @julianwiedmann)
  • Fix spurious errors containing "Failed to map node IP address to allocated ID". (#25222, @bimmlerd)
  • Fix syncing of relevant node annotations into CiliumNode (#25307, @meyskens)
  • Fixes issue in BGP reconciler when multiple pod cidr withdrawals are done. (#25320, @harsimran-pabla)
  • gateway-api: Race condition between routes and Gateway (#25573, @sayboras)
  • gateway-api: Skip reconciliation for non-matching controller routes (#25549, @sayboras)
  • helm: Correct typo in Ingress validation (#25570, @sayboras)
  • Reject the incorrect configuration enable-host-legacy-routing=false combined with kube-proxy-replacement=partial. (#25803, @pchaigno)
  • Track reply packets in long-living egress gateway connections and SNATed host-local connections. (#25112, @gentoo-root)
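The x-forwarded-for fix above (#25674) turns on two Envoy settings, use_remote_address and skip_xff_append, and the difference between trusting the connection and trusting the header is the whole security point. The following is an added example written for this page, not Cilium or Envoy code: it models the documented semantics of those two settings in a few lines of Python and runs them against a constructed request from a client at 203.0.113.7 that spoofs an internal address in x-forwarded-for. The function and header names are this example's own.

```python
"""Model of how an HTTP proxy picks the client address it reports (e.g. in
flow logs) and what x-forwarded-for it forwards upstream.

Two knobs are modelled, following their documented Envoy meaning:
  use_remote_address  - trust the TCP peer address, never the XFF header
  skip_xff_append     - do not add the peer address to the forwarded XFF
This is an illustrative model written for this page, not Envoy's code.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Decision:
    client_ip: str               # address the proxy reports as the client
    forwarded_xff: Optional[str]  # XFF value sent upstream, None if absent


def derive_client(remote_addr: str, headers: Dict[str, str],
                  use_remote_address: bool, skip_xff_append: bool) -> Decision:
    """Decide the client address for one request.

    remote_addr is the peer address of the accepted TCP connection, which the
    peer cannot forge; headers are attacker-controlled request headers.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    xff = lowered.get("x-forwarded-for")

    if use_remote_address:
        # Secure mode: the connection peer is the client no matter what XFF says.
        client = remote_addr
        if skip_xff_append or not remote_addr:
            forwarded = xff                      # header passed through untouched
        elif xff:
            forwarded = f"{xff}, {remote_addr}"  # append the real peer (Ingress case)
        else:
            forwarded = remote_addr
        return Decision(client, forwarded)

    # Legacy mode: believe the last XFF hop, which the peer chose. A client that
    # sends a forged XFF can thus impersonate any address in logs and flow data.
    client = xff.split(",")[-1].strip() if xff else remote_addr
    return Decision(client, xff)


# Constructed request: an external client forges an internal-looking source.
ATTACKER_PEER = "203.0.113.7"
SPOOFED_HEADERS = {"X-Forwarded-For": "10.0.0.5"}


def spoof_demo() -> Dict[str, Decision]:
    """Run the same forged request through the three relevant settings."""
    return {
        # L7 policy proxy after the fix: trust the peer, leave XFF alone.
        "policy_proxy": derive_client(ATTACKER_PEER, SPOOFED_HEADERS, True, True),
        # Ingress after the fix: trust the peer and record it in XFF.
        "ingress": derive_client(ATTACKER_PEER, SPOOFED_HEADERS, True, False),
        # Header-trusting behaviour: the forged address wins.
        "trust_header": derive_client(ATTACKER_PEER, SPOOFED_HEADERS, False, True),
    }


if __name__ == "__main__":
    for name, decision in spoof_demo().items():
        print(f"{name:13s} client={decision.client_ip:12s} xff={decision.forwarded_xff}")
```

The model shows why the fix matters for Hubble data and not for policy: with use_remote_address the forged 10.0.0.5 never becomes the reported client, and the policy proxy's identity lookup happens on the connection before any header is read.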

CI Changes:

Misc Changes:

Docker Manifests

cilium

docker.io/cilium/cilium:v1.14.0-snapshot.3@sha256:f0fd212111143ec56fa0a51a6140be96dca40ab8e207dc52aa88d44d395abf81
quay.io/cilium/cilium:v1.14.0-snapshot.3@sha256:f0fd212111143ec56fa0a51a6140be96dca40ab8e207dc52aa88d44d395abf81

clustermesh-apiserver

docker.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.3@sha256:8bcfae32ece9db19d72de00f34f9b59fa2ebe00b33c4f8ed504a1994921d23cf
quay.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.3@sha256:8bcfae32ece9db19d72de00f34f9b59fa2ebe00b33c4f8ed504a1994921d23cf

docker-plugin

docker.io/cilium/docker-plugin:v1.14.0-snapshot.3@sha256:db65fe9a63d8cf2ee2ee54da277d2174762f08e4efcf7c6806863dc9c02f74e3
quay.io/cilium/docker-plugin:v1.14.0-snapshot.3@sha256:db65fe9a63d8cf2ee2ee54da277d2174762f08e4efcf7c6806863dc9c02f74e3

hubble-relay

docker.io/cilium/hubble-relay:v1.14.0-snapshot.3@sha256:27e6b77b5cea7826a8fb5fbf720663123cee58f951d1bc41e8cf51eb1684c2ac
quay.io/cilium/hubble-relay:v1.14.0-snapshot.3@sha256:27e6b77b5cea7826a8fb5fbf720663123cee58f951d1bc41e8cf51eb1684c2ac

operator-alibabacloud

docker.io/cilium/operator-alibabacloud:v1.14.0-snapshot.3@sha256:e8ff4b580de9672f2e17e4f305283300af3f493e41e8d39026067c797caf6cde
quay.io/cilium/operator-alibabacloud:v1.14.0-snapshot.3@sha256:e8ff4b580de9672f2e17e4f305283300af3f493e41e8d39026067c797caf6cde

operator-aws

docker.io/cilium/operator-aws:v1.14.0-snapshot.3@sha256:281292efcd7a80dfc63269f6301f20e877ad9821befb6f0970fed3c3f4cf344e
quay.io/cilium/operator-aws:v1.14.0-snapshot.3@sha256:281292efcd7a80dfc63269f6301f20e877ad9821befb6f0970fed3c3f4cf344e

operator-azure

docker.io/cilium/operator-azure:v1.14.0-snapshot.3@sha256:b44660fcbe7f593986466011ea083e0a7c1efd1690df68e302aca86d7d18c02d
quay.io/cilium/operator-azure:v1.14.0-snapshot.3@sha256:b44660fcbe7f593986466011ea083e0a7c1efd1690df68e302aca86d7d18c02d

operator-generic

docker.io/cilium/operator-generic:v1.14.0-snapshot.3@sha256:c714d7d535afbcb70d930b07127f74401e0bf1a444981c4b50f6b268b7e12d73
quay.io/cilium/operator-generic:v1.14.0-snapshot.3@sha256:c714d7d535afbcb70d930b07127f74401e0bf1a444981c4b50f6b268b7e12d73

operator

docker.io/cilium/operator:v1.14.0-snapshot.3@sha256:62217676c80688e60d43b59d32830f1389f9433df8971e665b8576899a4f4043
quay.io/cilium/operator:v1.14.0-snapshot.3@sha256:62217676c80688e60d43b59d32830f1389f9433df8971e665b8576899a4f4043
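Every manifest above is published twice, on docker.io and quay.io, and each pair carries the same sha256 digest. Pinning a deployment to the digest rather than the tag is the supply-chain check a practitioner would want, and the two mirrors agreeing is a cheap consistency test. The following is an added example written for this page, not Cilium tooling: it parses references of the form REGISTRY/REPO[:TAG]@sha256:HEX, refuses anything that is only tag-pinned, and verifies that all mirrors of a repository resolve to the same digest. The cilium and clustermesh-apiserver references are taken from this page; the mismatched pair in the test is constructed, as are the function names.

```python
"""Validate digest-pinned container image references and check that
mirrors of the same repository agree on the digest. Illustrative code
written for this page, not part of Cilium."""
import re
from typing import Dict, List, NamedTuple, Optional


class ImageRef(NamedTuple):
    registry: str
    repository: str
    tag: Optional[str]
    digest: str  # 64 lowercase hex chars, without the "sha256:" prefix


_DIGEST = re.compile(r"sha256:([0-9a-f]{64})")


def parse_image_ref(ref: str) -> ImageRef:
    """Parse REGISTRY/REPO[:TAG]@sha256:HEX; reject tag-only references."""
    name, sep, digest = ref.partition("@")
    if not sep:
        raise ValueError(f"not digest-pinned (tag only): {ref}")
    m = _DIGEST.fullmatch(digest)
    if not m:
        raise ValueError(f"malformed or non-sha256 digest in {ref}")

    # The first path component is a registry only if it looks like a host.
    head, _, tail = name.partition("/")
    if tail and ("." in head or ":" in head or head == "localhost"):
        registry, path = head, tail
    else:
        registry, path = "docker.io", name  # bare names default to Docker Hub

    # The tag, if any, is the ":suffix" of the last path component only, so a
    # registry port such as localhost:5000 is not mistaken for a tag.
    prefix, _, last = path.rpartition("/")
    repo_last, _, tag = last.partition(":")
    repository = f"{prefix}/{repo_last}" if prefix else repo_last
    return ImageRef(registry, repository, tag or None, m.group(1))


def check_mirrors(refs: List[str]) -> Dict[str, str]:
    """Require every mirror of a repository to carry the same digest.

    Returns repository -> digest; raises ValueError on the first mismatch or
    on any reference that is not digest-pinned.
    """
    seen: Dict[str, str] = {}
    for ref in refs:
        img = parse_image_ref(ref)
        prev = seen.setdefault(img.repository, img.digest)
        if prev != img.digest:
            raise ValueError(
                f"digest mismatch for {img.repository}: {prev} != {img.digest}")
    return seen


# References copied from the release manifest list on this page.
RELEASE_REFS = [
    "docker.io/cilium/cilium:v1.14.0-snapshot.3@sha256:f0fd212111143ec56fa0a51a6140be96dca40ab8e207dc52aa88d44d395abf81",
    "quay.io/cilium/cilium:v1.14.0-snapshot.3@sha256:f0fd212111143ec56fa0a51a6140be96dca40ab8e207dc52aa88d44d395abf81",
    "docker.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.3@sha256:8bcfae32ece9db19d72de00f34f9b59fa2ebe00b33c4f8ed504a1994921d23cf",
    "quay.io/cilium/clustermesh-apiserver:v1.14.0-snapshot.3@sha256:8bcfae32ece9db19d72de00f34f9b59fa2ebe00b33c4f8ed504a1994921d23cf",
]


if __name__ == "__main__":
    for repo, digest in check_mirrors(RELEASE_REFS).items():
        print(f"{repo}: sha256:{digest}")
```

Run this over the image references you actually deploy (Helm-rendered manifests, for instance) before rollout; a tag-only reference or a mirror disagreement fails loudly instead of silently pulling whatever the tag currently points at.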